)]}'
{"build/ci/README.md":[{"author":{"_account_id":1000000,"name":"Leopold Schabel","display_name":"Leo","email":"leo@monogon.tech","username":"leo","avatars":[{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"7522782fc9fd2fccb6c7125a020e11099449a211","unresolved":true,"context_lines":[{"line_number":49,"context_line":"are marked as \u0027trusted users\u0027. There is no formal process for community"},{"line_number":50,"context_line":"contributors to become part of this group, but we are more than happy to"},{"line_number":51,"context_line":"formalize such a process when needed, or appoint active community contributors"},{"line_number":52,"context_line":"to this group. Ideally, though, the CI system should be rebuilt to allow any"},{"line_number":53,"context_line":"external contributor to run CI in a secure and sandboxed fashion."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"CI implementation"},{"line_number":56,"context_line":"-----------------"}],"source_content_type":"text/x-gfm","patch_set":3,"id":"e0a205c8_5183038d","line":53,"range":{"start_line":52,"start_character":15,"end_line":53,"end_character":65},"updated":"2021-05-18 17:34:38.000000000","message":"Assuming the builder containers would run on a separate host... 
what\u0027s the security concern?","commit_id":"de14ea1e9e1a0ed38dd4aa4eb2c24fd6a26b9b50"},{"author":{"_account_id":1000000,"name":"Leopold Schabel","display_name":"Leo","email":"leo@monogon.tech","username":"leo","avatars":[{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"4d1a8364722a0c1271a113bed154edfe7c0b242d","unresolved":false,"context_lines":[{"line_number":49,"context_line":"are marked as \u0027trusted users\u0027. There is no formal process for community"},{"line_number":50,"context_line":"contributors to become part of this group, but we are more than happy to"},{"line_number":51,"context_line":"formalize such a process when needed, or appoint active community contributors"},{"line_number":52,"context_line":"to this group. 
Ideally, though, the CI system should be rebuilt to allow any"},{"line_number":53,"context_line":"external contributor to run CI in a secure and sandboxed fashion."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"CI implementation"},{"line_number":56,"context_line":"-----------------"}],"source_content_type":"text/x-gfm","patch_set":3,"id":"cb56dd5a_72733b96","line":53,"range":{"start_line":52,"start_character":15,"end_line":53,"end_character":65},"in_reply_to":"7f094a94_91795911","updated":"2021-05-18 18:14:06.000000000","message":"\u003e That, and be okay with running cryptocurrency miners (something pretty much every single public CI system now struggles with this).\n\nExcellent point - and one that isn\u0027t easy to solve even via sandboxing. Got it.","commit_id":"de14ea1e9e1a0ed38dd4aa4eb2c24fd6a26b9b50"},{"author":{"_account_id":1000002,"name":"Serge Bazanski","display_name":"Serge","email":"serge@monogon.tech","username":"serge","avatars":[{"url":"https://www.gravatar.com/avatar/52c41428b6369f2c02b9717425216f7d.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/52c41428b6369f2c02b9717425216f7d.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/52c41428b6369f2c02b9717425216f7d.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/52c41428b6369f2c02b9717425216f7d.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"2fd9cb8167f168cddca0b56007114de8fa25285c","unresolved":false,"context_lines":[{"line_number":49,"context_line":"are marked as \u0027trusted users\u0027. 
There is no formal process for community"},{"line_number":50,"context_line":"contributors to become part of this group, but we are more than happy to"},{"line_number":51,"context_line":"formalize such a process when needed, or appoint active community contributors"},{"line_number":52,"context_line":"to this group. Ideally, though, the CI system should be rebuilt to allow any"},{"line_number":53,"context_line":"external contributor to run CI in a secure and sandboxed fashion."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"CI implementation"},{"line_number":56,"context_line":"-----------------"}],"source_content_type":"text/x-gfm","patch_set":3,"id":"7f094a94_91795911","line":53,"range":{"start_line":52,"start_character":15,"end_line":53,"end_character":65},"in_reply_to":"abfe011b_217a1996","updated":"2021-05-18 18:12:32.000000000","message":"The Jenkinsfile is still being executed by the controller. Letting users manipulate the Jenkinsfile without any vetting implies the following:\n\nYou have to rely on Groovy sandboxing for controller security.\n\nYou have to be okay with users messing around with gerritChecks/gerritComment/gerritLabel calls from the Jenkinsfile. I imagine this could easily be used to DoS the web interface, for example, by adding a ton of comments.\n\nYou have to be okay with users spawning thousands of parallel build jobs in the Jenkinsfile, filling up the build queue and DoSing our CI system. Or just opening a ton of CRs that do the same.\n\nYou have to be okay with users arbitrarily poking the build hosts and breaking them across subsequent runs, and that\u0027s true even with separate build hosts, as long as they\u0027re long lived and are directly running shell commands from users. 
That, and be okay with running cryptocurrency miners (something pretty much every single public CI system now struggles with).\n\nYou have to be sure that your Jenkins controller is configured correctly and one of the hundred little knobs doesn\u0027t accidentally let everyone leak controller secrets by modifying the Jenkinsfile.\n\nI just don\u0027t know enough about Jenkins to be confident that this huge attack/complexity surface is something that we\u0027d like to let potentially malicious users poke at. Gating everything behind a human doing a manual check against potentially malicious changes seems like the only way to go without investing dozens more hours into researching Jenkins security.","commit_id":"de14ea1e9e1a0ed38dd4aa4eb2c24fd6a26b9b50"},{"author":{"_account_id":1000000,"name":"Leopold Schabel","display_name":"Leo","email":"leo@monogon.tech","username":"leo","avatars":[{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/98f8f79a6bb45adef37defa7ead8f3d2.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"40ec01b5c4299e61aeea12aa65bab98ea299fbeb","unresolved":false,"context_lines":[{"line_number":49,"context_line":"are marked as \u0027trusted users\u0027. There is no formal process for community"},{"line_number":50,"context_line":"contributors to become part of this group, but we are more than happy to"},{"line_number":51,"context_line":"formalize such a process when needed, or appoint active community contributors"},{"line_number":52,"context_line":"to this group. 
Ideally, though, the CI system should be rebuilt to allow any"},{"line_number":53,"context_line":"external contributor to run CI in a secure and sandboxed fashion."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"CI implementation"},{"line_number":56,"context_line":"-----------------"}],"source_content_type":"text/x-gfm","patch_set":3,"id":"abfe011b_217a1996","line":53,"range":{"start_line":52,"start_character":15,"end_line":53,"end_character":65},"in_reply_to":"e0a205c8_5183038d","updated":"2021-05-18 17:45:25.000000000","message":"(question only, so marking resolved)","commit_id":"de14ea1e9e1a0ed38dd4aa4eb2c24fd6a26b9b50"}]}
